The Center for Internet Security, Inc. (CIS) published "Managing Cybersecurity Supply Chain Risks in Election Technology: A Guide for Election Technology Providers," the first of its kind for the election technology industry. The goal of the guide is to help identify significant cybersecurity supply chain risks for products and to choose appropriate risk mitigation approaches to address those risks.
The guide covers hardware, firmware, and software in the election technology supply chain, as well as IT that ships with election equipment. It also covers externally sourced tools used to develop hardware and software in-house, such as software development kits, code libraries, IT infrastructure, and the tools used to create, manage, and maintain that infrastructure.
The guide provides a set of attacker goals, the expected threat space, the most common attack types on supply chains, and an analysis of each election infrastructure component and the supply chain threats impacting it, with mitigation approaches. It also includes a non-technical overview of cybersecurity supply chain risk management and offers a process for identifying and managing suppliers based on a prioritization of risk to election technology products and services.
The guide stresses the importance of reviewing and re-assessing suppliers at regular intervals and verifying and monitoring products prior to and during production, aiding in the development and implementation of a meaningful election technology supply chain risk management program. The guide can be found at: https://www.cisecurity.org/elections-resources/.